Sec+ 601 study guide Part 9 Flashcards

1
Q

Which of the following environments minimizes end-user disruption and is MOST likely to be used to assess the impacts of any database migrations or major system changes by using the final version of the code?

A. Staging
B. Test
C. Production
D. Development

A

A. Staging

Staging mirrors production and receives the final (release-candidate) build, so database migrations and major changes can be rehearsed there without touching end users. The test environment is used earlier in the cycle, on code that is still changing.

2
Q

An attacker is attempting to exploit users by creating a fake website with the URL
www.validwebsite.com. The attacker’s intent is to imitate the look and feel of a legitimate website to obtain personal information from unsuspecting users.

Which of the following social engineering attacks does this describe?

A. Information elicitation
B. Typo squatting
C. Impersonation
D. Watering-hole attack

A

B. Typo squatting

3
Q

A security operations analyst is using the company’s SIEM solution to correlate alerts. Which of
the following stages of the incident response process is this an example of?

A. Eradication
B. Recovery
C. Identification
D. Preparation

A

C. Identification

4
Q

To reduce costs and overhead, an organization wants to move from an on-premises email solution to a cloud-based email solution. At this time no other services will be moving. Which of the following cloud models would BEST meet the needs of the organization?

A. MaaS
B. IaaS
C. SaaS
D. PaaS

A

C. SaaS

Hosted email is consumed as a finished application: the provider runs, patches and backs up the mail platform. IaaS would only give the organization cloud servers on which it would still have to build and operate its own mail system, which does not reduce overhead.

5
Q

A security analyst is reviewing the following command-line output:

Internet Address      Physical Address      Type
192.168.1.1           aa-bb-cc-00-11-22     dynamic
192.168.1.2           aa-bb-cc-00-11-22     dynamic
192.168.1.3           aa-bb-cc-00-11-22     dynamic
192.168.1.4           aa-bb-cc-00-11-22     dynamic
192.168.1.5           aa-bb-cc-00-11-22     dynamic
--output omitted--
192.168.1.251         aa-bb-cc-00-11-22     dynamic
192.168.1.252         aa-bb-cc-00-11-22     dynamic
192.168.1.253         aa-bb-cc-00-11-22     dynamic
192.168.1.254         aa-bb-cc-00-11-22     dynamic
192.168.1.255         ff-ff-ff-ff-ff-ff     dynamic
Which of the following is the analyst observing?
A. ICMP spoofing
B. URL redirection
C. MAC address cloning
D. DNS poisoning
A

C. MAC address cloning
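The tell in the ARP cache above is one unicast MAC answering for every address on the subnet. The following is an added example (not part of the original flashcards) that parses an `arp -a` style listing and reports any MAC that claims several IP addresses; the listing embedded in the code is constructed for the example and the `min_ips` threshold is an assumed tuning value.

```python
import re
from collections import defaultdict

# Constructed sample in the layout of the card's arp -a listing (not captured from a real host).
SAMPLE_ARP_OUTPUT = """\
Interface: 192.168.1.50 --- 0x4
  Internet Address      Physical Address      Type
  192.168.1.1           aa-bb-cc-00-11-22     dynamic
  192.168.1.2           aa-bb-cc-00-11-22     dynamic
  192.168.1.3           aa-bb-cc-00-11-22     dynamic
  192.168.1.20          00-50-56-12-34-56     dynamic
  192.168.1.254         aa-bb-cc-00-11-22     dynamic
  192.168.1.255         ff-ff-ff-ff-ff-ff     static
  224.0.0.22            01-00-5e-00-00-16     static
"""

# One ARP cache row: IPv4 address, MAC in dash or colon form, entry type.
ARP_ROW = re.compile(
    r"^\s*(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\s+"
    r"(?P<mac>(?:[0-9a-f]{2}[-:]){5}[0-9a-f]{2})\s+"
    r"(?P<type>\w+)\s*$",
    re.IGNORECASE,
)


def parse_arp(text):
    """Return (ip, mac, type) tuples; MACs normalised to lower-case, dash-separated."""
    rows = []
    for line in text.splitlines():
        m = ARP_ROW.match(line)
        if m:
            mac = m.group("mac").lower().replace(":", "-")
            rows.append((m.group("ip"), mac, m.group("type").lower()))
    return rows


def is_broadcast_or_multicast(ip, mac):
    """Broadcast and multicast entries legitimately share MACs and are excluded."""
    if mac == "ff-ff-ff-ff-ff-ff" or mac.startswith("01-00-5e-"):
        return True
    return 224 <= int(ip.split(".")[0]) <= 239


def find_shared_macs(rows, min_ips=2):
    """Map each unicast MAC that answers for min_ips or more addresses to those addresses."""
    by_mac = defaultdict(list)
    for ip, mac, _ in rows:
        if not is_broadcast_or_multicast(ip, mac):
            by_mac[mac].append(ip)
    return {mac: ips for mac, ips in by_mac.items() if len(ips) >= min_ips}


if __name__ == "__main__":
    for mac, ips in find_shared_macs(parse_arp(SAMPLE_ARP_OUTPUT)).items():
        print(f"{mac} claims {len(ips)} addresses: {', '.join(ips)}")
```

A host with several addresses on one interface, or a router doing proxy ARP, also shows up as a shared MAC, so treat a hit as a lead to confirm against the switch's MAC table rather than as proof of cloning on its own.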

6
Q

A security analyst is reviewing logs on a server and observes the following output:

01/01/2020 03:33:23 admin attempted login with password sneak
01/01/2020 03:33:32 admin attempted login with password sneaked
01/01/2020 03:33:41 admin attempted login with password sneaker
01/01/2020 03:33:50 admin attempted login with password sneer
01/01/2020 03:33:59 admin attempted login with password sneeze
01/01/2020 03:34:08 admin attempted login with password sneezy

Which of the following is the security analyst observing?
A. A rainbow table attack
B. A password-spraying attack
C. A dictionary attack
D. A keylogger attack
A

C. A dictionary attack

7
Q

A symmetric encryption algorithm is BEST suited for:

A. key-exchange scalability
B. protecting large amounts of data
C. providing hashing capabilities
D. implementing non-repudiation

A

B. protecting large amounts of data

8
Q

An engineer wants to access sensitive data from a corporate-owned mobile device. Personal data is not allowed on the device.

Which of the following MDM configurations must be considered when the engineer travels for business?

A. Screen locks
B. Application management
C. Geofencing
D. Containerization

A

C. Geofencing

Containerization exists to separate personal from corporate data, and personal data is not allowed on this device, so it does not apply. Geofencing lets the MDM restrict or revoke access to the sensitive data when the device leaves approved locations, which is the configuration that matters once the device travels.

9
Q

An enterprise has hired an outside security firm to facilitate penetration testing on its network and applications. The firm has agreed to pay for each vulnerability that is discovered. Which of the following BEST represents the type of testing that is being used?

A. White-box
B. Red-team
C. Bug bounty
D. Gray-box
E. Black-box
A

C. Bug bounty

10
Q

An organization blocks user access to command-line interpreters, but hackers still managed to invoke the interpreters using native administrative tools. Which of the following should the security team do to prevent this from happening in the future?

A. Implement HIPS to block inbound and outbound SMB ports 139 and 445.
B. Trigger a SIEM alert whenever the native OS tools are executed by the user.
C. Disable the built-in OS utilities as long as they are not needed for functionality.
D. Configure the AV to quarantine the native OS tools whenever they are executed.

A

C. Disable the built-in OS utilities as long as they are not needed for functionality.

11
Q

compatibility issues. The OSs are still supported by the vendor, but the industrial software is no longer supported. The Chief Information Security Officer (CISO) has created a resiliency plan for these systems that will allow OS patches to be installed in a non-production environment, while also creating backups of the systems for recovery. Which of the following resiliency techniques will provide these capabilities?

A. Redundancy
B. RAID 1+5
C. Virtual machines
D. Full backups

A

C. Virtual machines

Virtualizing the industrial systems gives both capabilities at once: a copy of each OS can be patched in a non-production VM, and snapshots or exported images serve as backups for recovery. Full backups alone provide recovery but no environment in which to test patches.

12
Q

A Chief Executive Officer’s (CEO) personal information was stolen in a social engineering attack.

Which of the following sources would reveal if the CEO’s personal information is for sale?

A. Automated information sharing
B. Open-source intelligence
C. The dark web
D. Vulnerability databases

A

C. The dark web

13
Q

A security researcher is tracking an adversary by noting its attacks and techniques based on its capabilities, infrastructure, and victims. Which of the following is the researcher MOST likely using?

A. The Diamond Model of Intrusion Analysis
B. The Cyber Kill Chain
C. The MITRE CVE database
D. The incident response process

A

A. The Diamond Model of Intrusion Analysis

14
Q

A company notices that at 10 a.m. every Thursday, three users’ computers become inoperable. The security analyst team discovers a file called where.pdf.exe that runs on system startup. The contents of where.pdf.exe are shown below:
@echo off
if [c:\file.txt] deltree C:\

Based on the above information, which of the following types of malware was discovered?

A. Rootkit
B. Backdoor
C. Logic bomb
D. RAT

A

C. Logic bomb

15
Q

A security engineer deploys a certificate from a commercial CA to the RADIUS server for use with the EAP-TLS wireless network. Authentication is failing, so the engineer examines the certificate’s properties:

Issuer: (A commercial CA)Valid from: (yesterday’s date)
Valid to: (one year from yesterday’s date)
Subject: CN=smithco.com
Public key: RSA (2048 bits)
Enhanced key usage: Client authentication (1.3.6.1.5.5.7.3.2)
Key usage: Digital signature, key encipherment (a0)

Which of the following is the MOST likely cause of the failure?
A. The certificate is missing the proper OID.
B. The certificate is missing wireless authentication in key usage.
C. The certificate is self-signed.
D. The certificate has expired.

A

A. The certificate is missing the proper OID.

EAP-TLS supplicants validate the RADIUS server's certificate as a server certificate, which requires the Server Authentication purpose (OID 1.3.6.1.5.5.7.3.1) in Enhanced Key Usage. This certificate carries only Client Authentication (1.3.6.1.5.5.7.3.2), so clients reject it; it is from a commercial CA and within its validity dates, so C and D do not apply.
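The check that would have caught this before deployment is reading the Enhanced Key Usage extension and confirming id-kp-serverAuth is listed. The following is an added example (not part of the original flashcards and not from any CA or RADIUS vendor) that encodes and decodes the extension's DER by hand, so it runs with no third-party library; the two EKU values it builds are constructed to match the card's certificate and the corrected one. The helper names are the example's own.

```python
SERVER_AUTH = "1.3.6.1.5.5.7.3.1"   # id-kp-serverAuth
CLIENT_AUTH = "1.3.6.1.5.5.7.3.2"   # id-kp-clientAuth


def _der_length(n):
    """DER length octets: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _read_tlv(buf, pos):
    """Read one tag-length-value at pos; return (tag, value, position after it)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    value = buf[pos:pos + length]
    if len(value) != length:
        raise ValueError("truncated DER element")
    return tag, value, pos + length


def encode_oid(dotted):
    """Encode a dotted OID as a DER OBJECT IDENTIFIER (tag 0x06)."""
    arcs = [int(a) for a in dotted.split(".")]
    if len(arcs) < 2 or arcs[0] > 2 or (arcs[0] < 2 and arcs[1] > 39):
        raise ValueError("invalid OID " + dotted)
    body = bytearray([arcs[0] * 40 + arcs[1]])       # first two arcs share one octet
    for arc in arcs[2:]:
        chunk = bytearray([arc & 0x7F])               # last base-128 digit: high bit clear
        arc >>= 7
        while arc:
            chunk.insert(0, 0x80 | (arc & 0x7F))      # leading digits: high bit set
            arc >>= 7
        body += chunk
    return b"\x06" + _der_length(len(body)) + bytes(body)


def decode_oid(value):
    """Decode the value octets of an OBJECT IDENTIFIER to dotted form."""
    first = value[0]
    arcs = [2, first - 80] if first >= 80 else [first // 40, first % 40]
    acc, pending = 0, False
    for b in value[1:]:
        acc = (acc << 7) | (b & 0x7F)
        pending = bool(b & 0x80)
        if not pending:
            arcs.append(acc)
            acc = 0
    if pending:
        raise ValueError("unterminated OID arc")
    return ".".join(str(a) for a in arcs)


def build_eku(oids):
    """ExtKeyUsageSyntax ::= SEQUENCE SIZE (1..MAX) OF KeyPurposeId"""
    inner = b"".join(encode_oid(o) for o in oids)
    return b"\x30" + _der_length(len(inner)) + inner


def parse_eku(der):
    """Return the KeyPurposeId OIDs listed in an encoded EKU extension value."""
    tag, seq, end = _read_tlv(der, 0)
    if tag != 0x30 or end != len(der):
        raise ValueError("not a single SEQUENCE")
    oids, pos = [], 0
    while pos < len(seq):
        tag, value, pos = _read_tlv(seq, pos)
        if tag != 0x06:
            raise ValueError("EKU members must be OBJECT IDENTIFIERs")
        oids.append(decode_oid(value))
    return oids


def usable_for_eap_tls_server(eku_der):
    """A RADIUS/EAP-TLS server certificate must assert id-kp-serverAuth."""
    return SERVER_AUTH in parse_eku(eku_der)


if __name__ == "__main__":
    deployed = build_eku([CLIENT_AUTH])             # what the card's certificate carries
    fixed = build_eku([SERVER_AUTH, CLIENT_AUTH])   # what the RADIUS server needs
    print("deployed:", parse_eku(deployed), "->", usable_for_eap_tls_server(deployed))
    print("fixed:   ", parse_eku(fixed), "->", usable_for_eap_tls_server(fixed))
```

With a real certificate you would feed `parse_eku` the value octets of extension 2.5.29.37 taken from the DER; the same function then tells you whether the reissued certificate is fit for the RADIUS server before it goes anywhere near the wireless network.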

16
Q

Which of the following is an administrative control that would be MOST effective to reduce the occurrence of malware execution?

A. Security awareness training
B. Frequency of NIDS updates
C. Change control procedures
D. EDR reporting cycle

A

A. Security awareness training

17
Q

A security administrator is reviewing the following information from a file that was found on a compromised host:

cat suspiciousfile.txt
www.CompTIA.org\njohn\miloveyou\n$200\nWorking Late\nJohn\nI%20will%20be%20in%20 the%20office%20till%206pm%20to%20finish%20the%20report\n

Which of the following types of malware is MOST likely installed on the compromised host?
A. Keylogger
B. Spyware
C. Trojan
D. Backdoor
E. Rootkit
A

A. Keylogger

18
Q

A user’s laptop is experiencing general slowness following the user’s return from an extended time out of the office. After a week, the security team looks at the laptop, but nothing appears out of order. The only noticeable issue is that svchost.exe keeps launching even after the security team kills the process. After running netstat, the team notes svchost.exe is listening on
port 443. Using an IoC creation tool, a security analyst does the following:

OR--
File MD5 contains adf321122abce28873aad3e12f262a12c
AND
PROCESS name contains svchost.exe
PROCESS arguments does not contain -k
AND
FILENAME contains svchost.exe
FILE DIRECTORY is not %system32%
Based on the IoCs created and the netstat output, which of the following types of malware is
present?
A. Backdoor
B. Crypto-malware
C. Rootkit
D. Logic bomb
A

C. Rootkit

19
Q

After running an online password cracking tool, an attacker recovers the following password:
gh ;j SKSTOi;618&

Based on the above information, which of the following technical controls have been implemented? (Choose two.)

A. Complexity
B. Encryption
C. Hashing
D. Length
E. Salting
F. Stretching

Spaces are treated as ordinary characters, so the recovered password meets both complexity (mixed case, digits, symbols) and length requirements. Nothing in the output says how the password was stored, so hashing, salting and stretching cannot be inferred.

A

A. Complexity

D. Length

20
Q

An engineer is configuring a wireless network using PEAP for the authentication protocol. Which of the following is required?

A. 802.11n support on the WAP
B. X.509 certificate on the server
C. CCMP support on the network switch
D. TLS 1.0 support on the client

A

B. X.509 certificate on the server

21
Q

A developer has just finished coding a custom web application and would like to test it for bugs by automatically injecting malformed data into it. Which of the following is the developer looking to perform?

A. Fuzzing
B. Stress testing
C. Sandboxing
D. Normalization

A

A. Fuzzing

22
Q

A network administrator wants to gather information on the security of the network servers in the DMZ. The administrator runs the following command:
telnet www.example.com 80

Which of the following actions is the administrator performing?

A. Grabbing the web server banner
B. Logging into the web server
C. Harvesting cleartext credentials
D. Accessing the web server management console

A

A. Grabbing the web server banner

23
Q

A security analyst is investigating an incident to determine what an attacker was able to do on a compromised laptop. The analyst reviews the following SIEM log:

Host  Event ID  Event Source                                   Description
PC1   865       Microsoft-Windows-SoftwareRestrictionPolicies  C:\aadf234\aadf234.exe was blocked by Group Policy
PC1   4688      Microsoft-Windows-Security-Auditing            A new process has been created
                                                               New Process Name: powershell.exe
                                                               Creator Process Name: outlook.exe
PC1   4688      Microsoft-Windows-Security-Auditing            A new process has been created
                                                               New Process Name: lat.pal
                                                               Creator Process Name: powershell.exe
PC2   4688      Microsoft-Windows-Security-Auditing            An account failed to log on
                                                               Logon Type: 3
                                                               Security ID: NULL SID
                                                               Workstation Name: PC1
                                                               Authentication Package Name: NTLM

Which of the following describes the method that was used to compromise the laptop?
A. An attacker was able to move laterally from PC1 to PC2 using a pass-the-hash attack
B. An attacker was able to bypass application whitelisting by emailing a spreadsheet attachment with an embedded PowerShell in the file
C. An attacker was able to install malware to the C:\aadf234 folder and use it to gain administrator rights and launch Outlook
D. An attacker was able to phish user credentials successfully from an Outlook user profile

A

A. An attacker was able to move laterally from PC1 to PC2 using a pass-the-hash attack

24
Q

A security engineer obtained the following output from a threat intelligence source that recently performed an attack on the company’s server:

GET index.php?page=..2f..2f..2f..2f..2f..2f..2f..2f..2fetc2fpasswd
GET index.php?page=..2f..2f..2f..2f..2f..2f..2f..2f..2..2fetc2fpasswd
GET index.php?page=..2f..2f..2f..2f..2f..2f..2f..2f..2f..2f..2fetc2fpasswd

Which of the following BEST describes this kind of attack?
A. Directory traversal
B. SQL injection
C. API
D. Request forgery
A

A. Directory traversal
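The requests above walk up out of the web root with repeated `../` (percent-encoded as `%2f`) until `/etc/passwd` is reached. The following is an added example, not part of the original flashcards, that resolves a `page` parameter the way a naive include would and flags any value that escapes the document root, including double-encoded variants. The request lines and the `/var/www/html` root are constructed for the example; the page's own log lines appear with the `%` of the encoding missing, so the sample spells it out.

```python
import posixpath
import re
from urllib.parse import unquote

WEB_ROOT = "/var/www/html"   # assumed document root of the vulnerable app

# Constructed request lines modelled on the card's log, with the %-encoding spelled out.
SAMPLE_REQUESTS = [
    "GET /index.php?page=about.php HTTP/1.1",
    "GET /index.php?page=..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2fetc%2fpasswd HTTP/1.1",
    "GET /index.php?page=%252e%252e%252fetc%252fpasswd HTTP/1.1",
    "GET /index.php?page=images/../index.php HTTP/1.1",
    "GET /index.php?page=/etc/passwd HTTP/1.1",
]

PAGE_PARAM = re.compile(r"[?&]page=([^&\s]*)")


def fully_decode(value, max_rounds=3):
    """Percent-decode until stable (bounded), so double-encoded payloads are caught too."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def resolve_page(page, root=WEB_ROOT):
    """Path the include would actually open: decode, treat backslashes as separators, normalise."""
    decoded = fully_decode(page).replace("\\", "/")
    return posixpath.normpath(posixpath.join(root, decoded))


def is_traversal(page, root=WEB_ROOT):
    """True when the resolved path escapes the document root."""
    root = root.rstrip("/")
    resolved = resolve_page(page, root)
    return not (resolved == root or resolved.startswith(root + "/"))


def flag_requests(lines, root=WEB_ROOT):
    """Return (line, resolved_path) for every request whose page parameter escapes root."""
    hits = []
    for line in lines:
        m = PAGE_PARAM.search(line)
        if m and is_traversal(m.group(1), root):
            hits.append((line, resolve_page(m.group(1), root)))
    return hits


if __name__ == "__main__":
    for line, path in flag_requests(SAMPLE_REQUESTS):
        print(f"TRAVERSAL -> {path}  from  {line}")
```

Note that `images/../index.php` is not flagged, because it never leaves the root: the check is on where the path ends up, not on whether `..` appears. In the application itself the stronger fix is to map `page` to an allow-list of known files rather than to build a filesystem path from user input at all.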

25
Q

Given the following logs:

[DATA] attacking service ftp on port 21
[ATTEMPT] target 192.168.50.1 - login “admin” - pass “password”
[ATTEMPT] target 192.168.50.1 - login “admin” - pass “access”
[ATTEMPT] target 192.168.50.1 - login “admin” - pass “allow”
[ATTEMPT] target 192.168.50.1 - login “admin” - pass “please”
[ATTEMPT] target 192.168.50.1 - login “admin” - pass “ftp”
[ATTEMPT] target 192.168.50.1 - login “admin” - pass “letmein”
[21][ftp] host: 192.168.50.1 login: admin password: letmein
1 of 1 target successfully completed, 1 valid password found

Which of the following BEST describes the type of attack that is occurring?
A. Rainbow table
B. Dictionary
C. Password spraying
D. Pass-the-hash
A

B. Dictionary
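Cards 6 and 25 both show one account being hit with a list of candidate passwords, which is what separates a dictionary attack from password spraying (a few passwords tried across many accounts). The following is an added example, not part of the original flashcards, that parses both log formats seen on this page, labels the pattern from the number of distinct accounts and passwords, and checks whether the passwords arrive in wordlist order. All three log samples are constructed for the example (the page's curly quotes are replaced with straight ones), and the thresholds are assumed tuning values.

```python
import re
from collections import Counter

# Constructed samples in the two formats seen on this page; none come from a real system.
SERVER_LOG = """\
01/01/2020 03:33:23 admin attempted login with password sneak
01/01/2020 03:33:32 admin attempted login with password sneaked
01/01/2020 03:33:41 admin attempted login with password sneaker
01/01/2020 03:33:50 admin attempted login with password sneer
01/01/2020 03:33:59 admin attempted login with password sneeze
01/01/2020 03:34:08 admin attempted login with password sneezy
"""

HYDRA_LOG = """\
[DATA] attacking service ftp on port 21
[ATTEMPT] target 192.168.50.1 - login "admin" - pass "password"
[ATTEMPT] target 192.168.50.1 - login "admin" - pass "access"
[ATTEMPT] target 192.168.50.1 - login "admin" - pass "allow"
[ATTEMPT] target 192.168.50.1 - login "admin" - pass "please"
[ATTEMPT] target 192.168.50.1 - login "admin" - pass "ftp"
[ATTEMPT] target 192.168.50.1 - login "admin" - pass "letmein"
[21][ftp] host: 192.168.50.1   login: admin   password: letmein
"""

# Contrast case: one password tried once against many accounts (spraying).
SPRAY_LOG = "\n".join(
    f"01/01/2020 03:4{i}:00 user{i} attempted login with password Winter2020!" for i in range(8)
)

PATTERNS = [
    re.compile(r"(?P<user>\S+) attempted login with password (?P<pw>\S+)$"),
    re.compile(r'\[ATTEMPT\] target \S+ - login "(?P<user>[^"]*)" - pass "(?P<pw>[^"]*)"'),
]


def parse_attempts(text):
    """Extract (user, password) pairs from either log format; unrelated lines are skipped."""
    attempts = []
    for line in text.splitlines():
        for pat in PATTERNS:
            m = pat.search(line)
            if m:
                attempts.append((m.group("user"), m.group("pw")))
                break
    return attempts


def classify(attempts, min_attempts=5):
    """Label the pattern by how many distinct accounts and passwords were tried."""
    if len(attempts) < min_attempts:
        return "insufficient data"
    users = Counter(u for u, _ in attempts)
    passwords = Counter(p for _, p in attempts)
    if len(users) == 1 and len(passwords) > 1:
        return "dictionary"          # one account, a wordlist of passwords
    if len(passwords) <= 3 and len(users) >= min_attempts:
        return "password spraying"   # one or two passwords, many accounts (dodges lockout)
    return "mixed (possible credential stuffing)"


def passwords_in_wordlist_order(attempts):
    """Alphabetical, adjacent guesses (sneak, sneaked, sneaker...) point at a sorted wordlist."""
    pws = [p for _, p in attempts]
    return len(pws) > 1 and all(a <= b for a, b in zip(pws, pws[1:]))


if __name__ == "__main__":
    for name, log in (("server", SERVER_LOG), ("hydra", HYDRA_LOG), ("spray", SPRAY_LOG)):
        a = parse_attempts(log)
        print(f"{name}: {len(a)} attempts -> {classify(a)}, wordlist order: {passwords_in_wordlist_order(a)}")
```

The `[21][ftp] host: ... password: letmein` success line is deliberately not matched by either pattern; in a real detection you would match it too, since a dictionary run that ends in a valid credential needs a different response (reset the account, hunt for the follow-on logon) than one that fails throughout.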

26
Q

An end user reports a computer has been acting slower than normal for a few weeks. During an investigation, an analyst determines the system is sending the user’s email address and a ten-digit number to an IP address once a day. The only recent log entry regarding the user’s computer is the following:

Time: 06:32:29 UTC
Event Description: This file meets the ML algorithm’s medium-confidence threshold
Process Blocked: False
File quarantined: False
Operating System: Windows 10
File Name: \Device\HarddiskVolume4\users\jdoe\AppData\Local\Microsoft\
Windows\INetCache\IE\pdftodocx.msi
Connection Details: 35.242.219.204:80

Which of the following is the MOST likely cause of the issue?
A. The end user purchased and installed a PUP from a web browser
B. A bot on the computer is brute forcing passwords against a website
C. A hacker is attempting to exfiltrate sensitive data
D. Ransomware is communicating with a command-and-control server

A

A. The end user purchased and installed a PUP from a web browser

27
Q

A penetration tester is testing passively for vulnerabilities on a company’s network. Which of the following tools should the penetration tester use? (Choose two.)

A. Zenmap
B. Wireshark
C. Nmap
D. tcpdump
E. Nikto
F. Snort
A

B. Wireshark

D. tcpdump

Passive testing only observes traffic that is already on the wire. Wireshark and tcpdump capture packets without sending anything to the targets, whereas Nmap, Zenmap and Nikto actively send probes and requests, and Snort is an IDS rather than a testing tool.

28
Q

A company has forbidden the use of external media within its headquarters location. A security analyst is working on adding additional repositories to a server in the environment when the analyst notices some odd processes running on the system. The analyst runs a command and sees the following:

$ history
        ifconfig -a
        netstat -n
        pskill 1788
        pskill 914
        mkdir /tmp/1
        mount -u sda101 /tmp/1
        cp /tmp/1/~/1/
        unmount /tmp/1
        ls -a1 1/1/
        apt-get update
        apt-get upgrade
        clear
Given this output, which of the following security issues has been discovered?
A. A misconfigured HIDS
B. A malware installation
C. A policy violation
D. The activation of a Trojan
A

C. A policy violation

The history shows a block device (sda) being mounted at /tmp/1, its contents copied to the local system, and the device unmounted: external media was used at a site where it is forbidden. Nothing in the history shows malware being installed; the apt-get lines are ordinary package maintenance.

29
Q

A security team received reports of increased latency on a highly utilized
e-commerce server. This led to eventual service unavailability as a result of internal scanning activity. The following web-server log was shared with the team to support this claim:

root@server:~# tail -n 5 /var/log/httpd-access.log

192.168.1.101 - - [15/May/2019:10:08:03 +0200] "GET /adjakjaj HTTP/1.1" 404
192.168.1.101 - - [15/May/2019:10:08:03 +0200] "GET /njknfkjn HTTP/1.1" 404
192.168.1.101 - - [15/May/2019:10:08:04 +0200] "GET /manbsbbd HTTP/1.1" 404
192.168.1.101 - - [15/May/2019:10:08:04 +0200] "GET /uwriuiyr HTTP/1.1" 404
192.168.1.101 - - [15/May/2019:10:08:04 +0200] "GET /iuqiuuqi HTTP/1.1" 404

Which of the following actions would BEST address the service impact caused by scanning?
A. Enable proper error handling on the web server
B. Run scans during off peak hours
C. Stop scanning the affected servers
D. Disable directory enumeration in the scanning policy

A

B. Run scans during off-peak hours

The log shows an internal scanner firing several directory-enumeration requests per second at a server that is already heavily used; the 404 responses are the server handling the requests correctly, so error handling is not the problem. Scheduling the scan for off-peak hours keeps the coverage while removing the impact; stopping the scans or dropping enumeration entirely gives up the vulnerability data the scan exists to collect.

30
Q

A security analyst receives the following output:

Time Action Host File Name User
12/15/2017 Policy Endpoint USB Transfer - Blocked Host1 Q3-Financials.PDF User

Which of the following MOST likely occurred to produce this output?
A. The host-based firewall prevented an attack from a Trojan horse
B. USB-OTG prevented a file from being uploaded to a mobile device
C. The host DLP prevented a file from being moved off a computer
D. The firewall prevented an incoming malware-infected file

A

C. The host DLP prevented a file from being moved off a computer

31
Q

nmap -p 80 --script hostmap-bfk.nse company.com

Starting Nmap 6.46
Nmap scan report for company.com (172.255.240.169)

PORT   STATE SERVICE
80/tcp open  http

Host script results:
| hostmap-bfk:
|   hosts:
|     172.255.240.169
|     web1.company.com
|     swebdb1.company.com
|     web3.company.com
|_    swebdb2.company.com

Nmap done: scanned in 2.10 seconds

Which of the following BEST describes the scanned environment?
A. A host was identified as a web server that is hosting multiple domains
B. A host was scanned, and web-based vulnerabilities were found
C. A connection was established to a domain, and several redirect connections were identified
D. A web shell was planted in company.com’s content management system

A

A. A host was identified as a web server that is hosting multiple domains

The hostmap-bfk script performs a reverse lookup of the scanned IP through a public reverse-IP service and lists the other hostnames that resolve to 172.255.240.169. It discovers virtual hosts sharing the address; it does not test for vulnerabilities, follow redirects, or detect web shells.

32
Q

Buffer overflow can be avoided using proper:

A. memory leak prevention
B. memory reuse
C. input validation
D. implementation of ASLR

A

C. input validation

33
Q

Which of the following systems, if compromised, may cause great danger to the integrity of water supplies and their chemical levels?

A. UAV
B. SCADA
C. HVAC
D. MFD

A

B. SCADA

34
Q

Which of the following threat actors is motivated primarily by a desire for personal recognition and a sense of accomplishment?

A. A script kiddie
B. A hacktivist
C. An insider threat
D. An industrial saboteur

A

A. A script kiddie

35
Q

After deploying an antivirus solution on some network-isolated industrial computers, the service desk team received a trouble ticket about the following message being displayed on the computers’ screens:

Your AV protection has blocked an unknown application while performing suspicious activities. The application was put in quarantine.

Which of the following would be the SAFEST next step to address the issue?
A. Immediately delete the detected file from the quarantine to secure the environment and clear the alert from the antivirus console.
B. Perform a manual antivirus signature update directly from the antivirus vendor’s cloud.
C. Centrally activate a full scan for the entire set of industrial computers, looking for new threats.
D. Check the antivirus vendor’s documentation about the security modules, incompatibilities, and software whitelisting.

A

D. Check the antivirus vendor’s documentation about the security modules, incompatibilities, and software whitelisting.

36
Q

A security analyst is investigating a report from an employee in the human resources (HR) department who is having sporadic issues with Internet access. When the security analyst pulls the UTM logs for the IP addresses in the HR group, the following activity is shown:

Host         Destination      Port  Category         User Grp   Action
10.1.13.45   165.35.23.129    8080  News/Journalism  General    Block
10.1.13.45   89.23.45.11      443   Banking          General    Allow
10.1.13.46   76.4.3.19        8080  Business         HR Users   Allow
10.1.13.45   14.5.29.173      8080  Business         General    Block
10.1.13.45   10.1.1.29        443   Internal         General    Allow
10.1.13.46   19.34.1.189      443   Banking          HR Users   Allow
10.1.13.45   45.1.39.118      8080  Job Search       General    Block
10.1.13.46   45.1.39.118      8080  Job Search       HR Users   Allow

Which of the following actions should the security analyst take?
A. Ensure the HR employee is in the appropriate user group.
B. Allow port 8080 on the UTM for all outgoing traffic.
C. Disable the proxy settings on the HR employee’s device.
D. Edit the last line of the ACL on the UTM to: allow any any.

A

A. Ensure the HR employee is in the appropriate user group.